According to the Internet, older UNIX systems stored the salted, hashed passwords in /etc/passwd. Now, these are placed in the non-world-readable /etc/shadow (or a variant). The flag06 password entry is a one-way hash, but John the Ripper can crack it. No special permissions are required to use it.

If we run the script directly with perl, getflag still runs as the level07 user. The vulnerability lies in how the web server is configured in thttpd.conf, which runs the CGI script as flag07 (user=flag07). Capturing the flag therefore requires going through thttpd rather than invoking the script directly.

ps aux shows that a thttpd web server is running. With wget localhost:7007/index.cgi, the request (and the parameter it carries) is handled by the CGI script as the flag07 user.

Level 8

Description(full): Examine a capture.pcap file to see what flag08 was doing.

After mucking around with tcpdump in ASCII mode, however, it’s clear that the output is still unintelligible. The Internet (broadly speaking) suggests Wireshark (and its command line counterpart, tshark) to examine packets, but the virtual machine doesn’t have these. However, a program named tcpflow is available.

After the Password: prompt, the flag08 user typed "backdoor...00Rm8.ate". A few tries of su flag08 with backdoor and backdoor...00Rm8.ate are unsuccessful. But if we believe that:
1. the password is based on words, and
2. each packet represents a key press sent to the server,
then "backdoor mate" could be backdoorm8, backd00Rm8, etc. If each period represents a deletion, then the password is backd00Rmate.

$ su flag08
Password:
sh-4.2$ getflag
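To make the Level 8 reasoning mechanical, here is an added example (not code from the original writeup) that replays a per-keystroke byte stream, treating each DEL (0x7f) or Backspace (0x08) byte as "erase the previous character", and also renders the stream the way a dump tool shows it, with non-printable bytes as periods. The sample stream is constructed to mirror the capture described above; it is not the actual pcap contents.

```python
# Added example: reconstruct what a user actually typed over a cleartext
# session from the raw keystroke bytes, honouring erase keys. This is the
# same inference the writeup makes by hand ("each period is a deletion").

DELETE_BYTES = {0x7F, 0x08}   # DEL and Backspace both erase one character
LINE_END = {0x0D, 0x0A}       # CR / LF: Enter terminates the typed line


def reconstruct_typed(keystrokes: bytes) -> str:
    """Replay a keystroke stream and return the final line as entered."""
    buf = []
    for b in keystrokes:
        if b in DELETE_BYTES:
            if buf:            # erasing on an empty line is a no-op
                buf.pop()
        elif b in LINE_END:
            break
        else:
            buf.append(chr(b))
    return "".join(buf)


def render_as_dump(keystrokes: bytes) -> str:
    """Show the stream as an ASCII dump would: non-printables become '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in keystrokes)


# Constructed sample (one byte per packet, as a telnet client sends them):
# "backdoor", three DELs, "00Rm8", one DEL, "ate", then Enter.
SAMPLE = b"backdoor" + b"\x7f" * 3 + b"00Rm8" + b"\x7f" + b"ate" + b"\r\n"

if __name__ == "__main__":
    print(render_as_dump(SAMPLE))      # backdoor...00Rm8.ate..
    print(reconstruct_typed(SAMPLE))   # backd00Rmate
```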

Level 9

Description(full): Exploit a C wrapper for a PHP script. The PHP script uses one argument but accepts a second, unused one – $useme.